An orphan branch is just a branch with its own history (it starts off with no parents).
You can empty it out and store/track whatever in it.
Guix uses it to store GPG pub keys.
To avoid local eval, it can just store a single JSON file of nixosConfiguration store-paths.
This also keeps track of the history of deployments.
CI:
- builds artifacts and uploads them to a cache
- pushes a json file
{ "hostname": "/nix/store/...blah..." }
to the orphan branch
Agent:
- polls orphan branch and does something fancier than this gist:
#!/usr/bin/env bash
set -euo pipefail
# REPO is the git remote, ORPHAN the name of the orphan branch holding cache.json
: "${REPO:?set REPO to the git remote}" "${ORPHAN:?set ORPHAN to the branch name}"
TEMPDIR=$(mktemp -d)
trap 'rm -rf "$TEMPDIR"' EXIT
# get cached store-path for this host from the json file (jq -e fails if the key is missing)
git clone --depth=1 --branch="$ORPHAN" "$REPO" "$TEMPDIR"
STOREPATH=$(jq -er --arg h "$(hostname)" '.[$h]' "$TEMPDIR"/cache.json)
# TODO: add all the fancy reboot logic
# /run/current-system is a symlink to the currently active system store-path
CURRENT=$(readlink /run/current-system)
if [[ "$CURRENT" != "$STOREPATH" ]]; then
# download cached store-path (substituted from the cache CI uploaded to)
nix-store -r "$STOREPATH"
# update profile so the new generation survives reboots / shows up in the bootloader
nix-env -p /nix/var/nix/profiles/system --set "$STOREPATH"
# activate
"$STOREPATH"/bin/switch-to-configuration switch
fi
I can imagine something like this could fit in nicely with comin.
If not, hopefully the idea is not too off and helps a little.
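The CI half of the scheme described in the comment above, as an added example that is neither the commenter's code nor comin's: it creates the orphan branch with no parents on first use, otherwise extends its history, merges one `hostname -> store-path` entry into `cache.json` with jq, and refuses to record anything that is not a plain hostname or a well-formed /nix/store path (every agent will later hand that value straight to `nix-store -r`). `REPO`, `ORPHAN`, the hostname and the store path are assumed to come from the CI job.

```shell
#!/usr/bin/env bash
# Added example (not from the comment above or from comin).
# Assumed inputs: REPO is a git remote (URL or path), ORPHAN the branch name,
# plus the hostname and the store path the build just produced.
set -euo pipefail

# Only plain hostnames and real-looking store paths may be recorded:
# 32 nixbase32 chars (no e, o, t, u), a dash, then a name made of [A-Za-z0-9+-._?=].
validate_entry() {
  local host=$1 storepath=$2
  [[ "$host" =~ ^[A-Za-z0-9][A-Za-z0-9.-]*$ ]] || return 1
  [[ "$storepath" =~ ^/nix/store/[0-9a-df-np-sv-z]{32}-[A-Za-z0-9+._?=-]+$ ]] || return 1
}

# Merge {host: storepath} into an existing cache.json, creating it if absent.
merge_cache() {
  local file=$1 host=$2 storepath=$3
  [[ -s "$file" ]] || printf '{}\n' >"$file"
  jq --arg h "$host" --arg p "$storepath" '.[$h] = $p' "$file" >"$file.tmp"
  mv "$file.tmp" "$file"
}

# Check out the orphan branch if it already exists (keeps the deployment history),
# otherwise start it with no parents; then commit cache.json and push.
publish_deployment() {
  local repo=$1 branch=$2 host=$3 storepath=$4 work
  validate_entry "$host" "$storepath"
  work=$(mktemp -d)
  git init -q "$work"
  git -C "$work" remote add origin "$repo"
  if git -C "$work" fetch -q origin "$branch" 2>/dev/null; then
    git -C "$work" checkout -q -b "$branch" FETCH_HEAD
  else
    git -C "$work" checkout -q --orphan "$branch"
  fi
  merge_cache "$work/cache.json" "$host" "$storepath"
  git -C "$work" add cache.json
  git -C "$work" -c user.name=ci -c user.email=ci@example.invalid \
    commit -q -m "deploy $host -> $storepath"
  git -C "$work" push -q origin "$branch"
  rm -rf "$work"
}
```

A CI job would call `publish_deployment "$REPO" "$ORPHAN" "$(hostname-of-target)" "$(readlink -f result)"` after the build and cache upload succeed, so the agent only ever sees a store path that is already substitutable.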